
Security issue: Unauthorized copy of default-config to startup-config via REST API in version 8.0.13 #894

@iyyapa

Description

After upgrading to confd version 8.0.13, users without admission permissions are able to copy default-config to startup-config through the REST API. This presents a security risk as unauthorized users should not have the ability to perform this action.

Steps to reproduce:

  1. Upgrade to confd version 8.0.13
  2. Attempt to copy default-config to startup-config via the REST API as a user without admission permissions

Expected behavior:
The operation should be denied for users without admission permissions.

Actual behavior:
The operation is allowed even without the required permissions.

Impact:
Users without proper permissions can modify configuration, which may lead to security risks.

Please investigate and address this issue.

Logs:
[root@orro-bne3-slx1]# curl -v -u user:password -d 'running-configstartup-config' http://10.152.3.145/rest/operations/bna-config-cmd
*   Trying 10.152.3.145...
* TCP_NODELAY set
* Connected to 10.152.3.145 (10.152.3.145) port 80 (#0)
* Server auth using Basic with user 'user'
> POST /rest/operations/bna-config-cmd HTTP/1.1
> Host: 10.152.3.145
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.61.0
> Accept: */*
> Content-Length: 85
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 85 out of 85 bytes
< HTTP/1.1 200 OK
< Date: Fri, 08 Aug 2025 16:58:04 GMT
< Server: SLX-OS WWW
< Authentication-Token: O2gzOFhiaklJSENaY21gMEhKY0xgRG84W3N7WVY8Xkk=
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 120
< Content-Type: application/vnd.yang.operation+xml
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< X-Forwarded-Proto: http
<
5 in-progress
* Connection #0 to host 10.152.3.145 left intact
[root@orro-bne3-slx1]#
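For a defender checking captured HTTP transcripts for the symptom reported above, an added example (not code from the report or from the vendor) that parses a curl -v transcript in this shape and flags a POST to /rest/operations/bna-config-cmd that was accepted for a user outside a privileged set; the transcript, the host address and the privileged-user set are constructed.

```python
import base64
import re

# Constructed sample in the shape of the curl -v output in the report:
# request lines are prefixed with ">", response lines with "<".
SAMPLE_TRANSCRIPT = """\
* Connected to 10.0.0.1 (10.0.0.1) port 80 (#0)
* Server auth using Basic with user 'user'
> POST /rest/operations/bna-config-cmd HTTP/1.1
> Host: 10.0.0.1
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 85 out of 85 bytes
< HTTP/1.1 200 OK
< Content-Type: application/vnd.yang.operation+xml
<
"""

CONFIG_CMD_PATH = "/rest/operations/bna-config-cmd"


def parse_transcript(text):
    """Extract method, path, Basic-auth user and first response status from a curl -v transcript."""
    method = path = user = None
    status = None
    for line in text.splitlines():
        m = re.match(r"^>\s*(GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP/", line)
        if m:
            method, path = m.group(1), m.group(2)
            continue
        m = re.match(r"^>\s*Authorization:\s*Basic\s+(\S+)", line, re.IGNORECASE)
        if m:  # Basic credentials are base64("user:password"); keep only the user
            creds = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            user = creds.split(":", 1)[0]
            continue
        m = re.match(r"^<\s*HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if m and status is None:
            status = int(m.group(1))
    return {"method": method, "path": path, "user": user, "status": status}


def audit_config_cmd(text, privileged_users):
    """Return a finding if a non-privileged user's bna-config-cmd POST was accepted, else None."""
    req = parse_transcript(text)
    if req["method"] != "POST" or req["path"] != CONFIG_CMD_PATH:
        return None  # not the config-command operation
    if req["status"] is not None and req["status"] < 400 and req["user"] not in privileged_users:
        return f"config command accepted for non-privileged user {req['user']!r} (HTTP {req['status']})"
    return None
```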
